The certificate on a USB token is not visible from a service. How do I use such certificate?
It often happens, that you plug a hardware device (smartcard or USB cryptotoken) and access its certificates via TElWinCertStorage in a UI application. But when you copy your code to a service application, the certificate is not accessible.
This is a common situation with hardware. The problem is that cheap user-oriented hardware (cryptocards and USB tokens) usually maps the certificates to CryptoAPI's MY certificate storage of the "current user". If you plug the device as an interactive user (and you do this always), such certificate is not accessible from under other accounts, such as SERVICE or SYSTEM accounts.
The possibility to use the certificate via CryptoAPI and TElWinCertStorage in this scenario depends on whether the hardware's controlling software can be configured to map certificates to other accounts or to Local Machine (rather than Current User) storages.
If you can reconfigure it, then there's a chance for your approach to work. If you can't reconfigure it, then using PKCS11 is the only way to solve the problem.